mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
fix(ox-connector): Update OX Connector and OX Extension to v0.27.2; review migrations.md for required upgrade steps
This commit is contained in:
Norbert Tretkowski
committed by
Thorsten Roßner
Thorsten Roßner
parent
489986e906
commit
9d51e40063
@@ -77,7 +77,7 @@ configured to use the aforementioned OpenLDAP.
|
||||
|
||||
When the user is authenticated by Keycloak, the portal shows the applications the user is permitted to access.
|
||||
|
||||
The user can now access applications and use the corresponding functionality without the need to authenticate
|
||||
The user can now access applications and use the corresponding functionality without the need to authenticate
|
||||
again. This is implemented using the OpenID Connect (OIDC) protocol.
|
||||
|
||||
# Nubus (IAM)
|
||||
@@ -443,7 +443,7 @@ While the IAM manages users centrally, some applications come with local account
|
||||
| Element | `uvs` | The account for the "User Verification Service". It is used by Jitsi integrated into Element. | `secrets.matrixUserVerificationService.password` |
|
||||
| | `meeting-bot` | Used by the Nordeck Meeting-Bot to manage meeting rooms in Synapse. | `secrets.matrixNeoDateFixBot.password` |
|
||||
| Nextcloud | `nextcloud` | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1]. | `secrets.nextcloud.adminPassword` |
|
||||
| OX App Suite | `admin` | OX-Connector to provision context, users, groups etc. | `secrets.oxAppsuite.adminPassword` |
|
||||
| OX App Suite | `admin` | OX Connector to provision context, users, groups etc. | `secrets.oxAppsuite.adminPassword` |
|
||||
| OpenProject | set in `secrets.openproject.apiAdminUsername` | Bootstrap the Nextcloud fileshare for OpenProject with `opendesk-openproject-bootstrap` job[^1]. | `secrets.openproject.apiAdminPassword` |
|
||||
| XWiki | `superadmin` | Only available with `debug.enabled: true`, can be used for interactive login using `/bin/view/Main/?oidc.skipped=true`. | `secrets.xwiki.superadminpassword` |
|
||||
|
||||
|
||||
@@ -65,12 +65,12 @@ This chapter presents APIs available in openDesk, grouped by application.
|
||||
|
||||
# IAM - Nubus
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/components.html#overview-components-fig)
|
||||
|
||||
## UMC Python API
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/developer-reference/latest/en/umc/architecture.html#umc-api)
|
||||
|
||||
| Name | UMC Python API |
|
||||
@@ -143,7 +143,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s
|
||||
|
||||
## UDM Simple API
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/architecture/latest/en/services/udm.html#architecture-model-udm)
|
||||
|
||||
| Name | UDM Simple API |
|
||||
@@ -180,7 +180,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s
|
||||
|
||||
## UCR Python API
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/architecture/latest/en/services/ucr.html#services-ucr-architecture-model)
|
||||
|
||||
| Name | UCR Python API |
|
||||
@@ -200,7 +200,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s
|
||||
|
||||
## Identity Store and Directory Service (LDAP)
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/identity-store.html#component-identity-store-figure)
|
||||
|
||||
| Name | Identity Store and Directory Service (LDAP) |
|
||||
@@ -220,7 +220,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s
|
||||
|
||||
## Nubus Provisioning Service
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/provisioning-service.html#component-provisioning-service-complete-figure)
|
||||
|
||||
| Name | Nubus Proisioning Service |
|
||||
@@ -229,7 +229,7 @@ More details on the Nubus provisioning service can be found here: https://docs.s
|
||||
|
||||
## Nubus Authorization Service
|
||||
|
||||
|
||||
|
||||
[Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/interfaces-protocols.html#authorization-service)
|
||||
|
||||
| Name | Nubus Authorization Service |
|
||||
@@ -288,7 +288,7 @@ The following are the APIs used by the Groupware application:
|
||||
| In openDesk provided by | OX AppSuite Middleware |
|
||||
| Transport protocol | HTTP(S) |
|
||||
| Usage within component | none |
|
||||
| Usage within openDesk | OX-Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. |
|
||||
| Usage within openDesk | OX Connector synchronizes the state of the objects (users, groups etc.) managed in the LDAP. |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | Allowed |
|
||||
| Message protocol | XML based, exactly following the format of Java RMI. |
|
||||
|
||||
@@ -104,8 +104,8 @@ XWiki,PersistentVolume,1
|
||||
| | | Yes | OX Guard related settings | `oxguard*` | |
|
||||
| | S3 | Yes | Attachments of meetings, contacts and tasks | `openxchange` | |
|
||||
| | Redis | Optional | Cache, session related data, distributed maps | | |
|
||||
| | PVC | Yes | OX-Connector: OXAPI access details | `ox-connector-appcenter-ox-connector-0` | `/var/lib/univention-appcenter/apps/ox-connector` |
|
||||
| | | Yes | OX-Connector: Application's meta data | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` |
|
||||
| | PVC | Yes | OX Connector: OXAPI access details | `ox-connector-appcenter-ox-connector-0` | `/var/lib/univention-appcenter/apps/ox-connector` |
|
||||
| | | Yes | OX Connector: Application's meta data | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` |
|
||||
| **Postfix** | PVC | Yes | Mail spool | `postfix` | `/var/spool/postfix` |
|
||||
| **XWiki** | PostgreSQL | Yes | Application's main database | `xwiki` | |
|
||||
| | PVC | Yes | Attachments | `xwiki-data-xwiki-0` | `/usr/local/xwiki/data` |
|
||||
|
||||
@@ -10,9 +10,12 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Deprecation warnings](#deprecation-warnings)
|
||||
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
|
||||
* [Manual checks/actions](#manual-checksactions)
|
||||
* [v1.7.0+](#v170)
|
||||
* [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
|
||||
* [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
|
||||
* [v1.6.0+](#v160)
|
||||
* [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
|
||||
* [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
|
||||
* [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
|
||||
* [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
|
||||
* [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
|
||||
* [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
|
||||
@@ -94,6 +97,8 @@ This section should provide you with an overview of what changes to expect in th
|
||||
|
||||
- `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
|
||||
- We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
|
||||
- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
|
||||
- The currently used Helm chart for Notes will be replaced requiring some config updates.
|
||||
|
||||
# Automated migrations - Overview and mandatory upgrade path
|
||||
|
||||
@@ -117,11 +122,40 @@ If you would like more details about the automated migrations, please read secti
|
||||
|
||||
# Manual checks/actions
|
||||
|
||||
## v1.7.0+
|
||||
|
||||
### Post-upgrade to v1.7.0+
|
||||
|
||||
#### Upstream fix: Provisioning of functional mailboxes
|
||||
|
||||
**Target group:** Deployments with OX App Suite that make use of IAM maintained functional mailboxes.
|
||||
|
||||
The update of OX Connector included in openDesk 1.7.0 fixes an issue with the provisioning of IAM maintained functional mailboxes. If your deployment makes use of these mailboxes it is recommended to trigger a full sync of the OX App Suite provisioning by recreating the OX Connector's provisioning subscription using calls to the provisioning API that is temporary port-forwarded in the example below:
|
||||
|
||||
```shell
|
||||
export NAMESPACE=<your_namespace>
|
||||
export SUBSCRIPTION_NAME=ox-connector
|
||||
export SUBSCRIPTION_SECRET_NAME=ums-provisioning-ox-credentials
|
||||
export TEMPORARY_CONSUMER_JSON=$(mktemp)
|
||||
export PROVISIONING_API_POD_NAME=$(kubectl -n ${NAMESPACE} get pods --no-headers -o custom-columns=":metadata.name" | grep ums-provisioning-api | tr -d '\n')
|
||||
kubectl -n ${NAMESPACE} port-forward ${PROVISIONING_API_POD_NAME} 7777:7777 &
|
||||
export PROVISIONING_PORT_FORWARD_PID=$!
|
||||
sleep 10
|
||||
kubectl -n ${NAMESPACE} get secret ${SUBSCRIPTION_SECRET_NAME} -o json | jq '.data | map_values(@base64d)' | jq -r '."ox-connector.json"' > ${TEMPORARY_CONSUMER_JSON}.json
|
||||
export PROVISIONING_ADMIN_PASSWORD=$(kubectl -n ${NAMESPACE} get secret ums-provisioning-api-admin -o jsonpath='{.data.password}' | base64 --decode)
|
||||
# Delete the current subscription
|
||||
curl -o - -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -X DELETE http://localhost:7777/v1/subscriptions/${SUBSCRIPTION_NAME}
|
||||
# Recreate the subscription
|
||||
curl -u "admin:${PROVISIONING_ADMIN_PASSWORD}" -H 'Content-Type: application/json' -d @${TEMPORARY_CONSUMER_JSON}.json http://localhost:7777/v1/subscriptions
|
||||
kill ${PROVISIONING_PORT_FORWARD_PID}
|
||||
rm ${TEMPORARY_CONSUMER_JSON}
|
||||
```
|
||||
|
||||
## v1.6.0+
|
||||
|
||||
### Pre-upgrade to v1.6.0+
|
||||
|
||||
#### Upstream contraint: Nubus' external secrets
|
||||
#### Upstream constraint: Nubus' external secrets
|
||||
|
||||
**Target group:** Operators that use external secrets for Nubus.
|
||||
|
||||
|
||||
@@ -1310,6 +1310,8 @@ nubusStackDataUms:
|
||||
portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }}
|
||||
oxDefaultContext: "1"
|
||||
oxContextHidden: true
|
||||
oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }}
|
||||
portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
|
||||
ldapSearchUsers:
|
||||
{{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
|
||||
- username: {{ printf "ldapsearch_%s" $username | quote }}
|
||||
|
||||
@@ -406,7 +406,7 @@ appsuite:
|
||||
com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
|
||||
com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
|
||||
com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
|
||||
# Requirements for OX-Connector
|
||||
# Requirements for OX Connector
|
||||
com.openexchange.user.enforceUniqueDisplayName: "false"
|
||||
com.openexchange.folderstorage.database.preferDisplayName: "false"
|
||||
# Mailfilter
|
||||
|
||||
@@ -65,7 +65,7 @@ resourcesWaitForDependency:
|
||||
|
||||
persistence:
|
||||
size: {{ .Values.persistence.storages.oxConnector.size | quote }}
|
||||
storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
|
||||
#storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }}
|
||||
|
||||
@@ -419,7 +419,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "ox-connector"
|
||||
version: "0.19.0"
|
||||
version: "0.27.2"
|
||||
verify: true
|
||||
postfix:
|
||||
# providerCategory: "Platform"
|
||||
|
||||
@@ -578,7 +578,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "10", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
|
||||
tag: "0.11.1@sha256:e57df5c02d0480ccf1d299964e3c676d92440d5e959b4f587945f08624da3ae9"
|
||||
tag: "0.27.2@sha256:7bb54f5ae0e797172fb92bd7a8a479f179ebd51c1fb5af98fa7b6025f9ffaca4"
|
||||
nubusPortalConsumer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -896,7 +896,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "4", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
|
||||
tag: "0.19.0@sha256:447e3c3e0cdd8bf1f86004d2088c24fcf6141ff6fef78ade8dfe86f7f16ba40e"
|
||||
tag: "0.27.2@sha256:4753a1d4a01acb7c6946fc9c8596fd328afe0d3c0b3098adfe85cef89fb1b7d7"
|
||||
postfix:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
|
||||
@@ -46,6 +46,7 @@ persistence:
|
||||
#storageClassName: ""
|
||||
oxConnector:
|
||||
size: "1Gi"
|
||||
# This value is not passed on to the related Helm chart yet, but required for linting purposes.
|
||||
storageClassName: ~
|
||||
postfix:
|
||||
size: "1Gi"
|
||||
|
||||
Reference in New Issue
Block a user